Try in Splunk Security Cloud


Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Risk
  • Last Updated: 2020-04-02
  • Author: Rico Valdez, Splunk
  • ID: 9cbd34af-8f39-4476-a423-bacd126c750b


Okta is the leading single sign on (SSO) provider, allowing users to authenticate once to Okta, and from there access a variety of web-based applications. These applications are assigned to users and allow administrators to centrally manage which users are allowed to access which applications. It also provides centralized logging to help understand how the applications are used and by whom. While SSO is a major convenience for users, it also provides attackers with an opportunity. If the attacker can gain access to Okta, they can access a variety of applications. As such monitoring the environment is important. With people moving quickly to adopt web-based applications and ways to manage them, many are still struggling to understand how best to monitor these environments. This analytic story provides searches to help monitor this environment, and identify events and activity that warrant further investigation such as credential stuffing or password spraying attacks, and users logging in from multiple locations when travel is disallowed.


Name Technique Type
Multiple Okta Users With Invalid Credentials From The Same IP Password Spraying, Valid Accounts, Default Accounts TTP
Okta Account Locked Out Brute Force Anomaly
Okta Account Lockout Events Valid Accounts, Default Accounts Anomaly
Okta Failed SSO Attempts Valid Accounts, Default Accounts Anomaly
Okta IDP Lifecycle Modifications Cloud Account Anomaly
Okta Risk Threshold Exceeded Valid Accounts, Brute Force Correlation
Okta Suspicious Use of a Session Cookie Steal Web Session Cookie Anomaly
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts, Default Accounts, Credential Stuffing TTP
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts, Default Accounts, Password Spraying TTP
Okta Two or More Rejected Okta Pushes Brute Force TTP


source | version: 1